security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Active Directory Forced Authentication from Linux Host - SMB Named Pipes (#4117)

Browse Source 
* [Rule Tuning] Active Directory Forced Authentication from Linux Host - SMB Named Pipes

* Update rules/cross-platform/credential_access_forced_authentication_pipes.toml
This commit is contained in:
Jonhnathan
2024-10-11 13:46:57 -03:00
committed by GitHub
parent f021229da4
commit 1d9cb6a195
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/cross-platform/credential_access_forced_authentication_pipes.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/07/23"
integration = ["endpoint", "system"]
maturity = "production"
updated_date = "2024/08/09"
updated_date = "2024/10/01"
[rule]
author = ["Elastic"]
@@ -57,8 +57,8 @@ type = "eql"
query = '''
sequence with maxspan=15s
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace
[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip, data_stream.namespace
'''